DMARC -> CERT?

Miles Fidelman mfidelman at meetinghouse.net
Mon Apr 14 18:23:41 UTC 2014


Christopher Morrow wrote:
> On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <laszlo at heliacal.net> wrote:
>> By their statement it's obvious that yahoo doesn't care about what they broke.  It's
>> unfortunate that email has become so centralized that one entity can cause so
>> much 'trouble'.  Maybe it's a good opportunity to encourage the affected mailing list
>> subscribers to use their own domains for email, and host it themselves if possible.
>>
> I sort of wonder if this is really just yahoo trying to use a stick to
> motivate people to do the right thing? It seems like everyone's been
> trying for a while to 'make email better'... and that perhaps DMARC
> will make it somewhat better, and if set up properly this is a
> non-issue... after much faffing: "Welp, how about we whack the
> mail-lists (and others) with a stick and get movement in the right
> direction?"
>
> not sure this is all bad... and i think the fix is pretty
> straightforward for list folk, right? so all the faffing on this list
> and others took longer to do than the fix-action?
>
>
Well, if you consider writing software patches to complicated software 
simple.

And it would certainly help if the guidance on what to do is clearer - 
last week, dmarc.org's FAQ listed, as among the options for list operators:

"Add an Original Authentication Results 
<http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) 
header to indicate that the list operator has performed authentication 
checks on the submitted message and share the results." -- which would 
be transparent to list subscribers

but, as of a couple of days ago, that's qualified by:

"*This is not a short term solution.* Assumes a mechanism to establish 
trust between the list operator and the receiver. No such mechanism is 
known to be in use for this purpose at this time. Without such a 
mechanism, bad actors could simply add faked OAR headers to their 
messages to circumvent such measures. OAR was only described as a draft 
document, which expired in 2012. No receivers implementing DMARC are 
currently known to make use of OAR from external sources."

So the low-impact (to end users) fix is now not recommended, and all the 
other available fixes require changes that degrade long-accepted 
functionality of mailing lists (e.g., the ability to reply to the author 
of a message).

Miles Fidelman




-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
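The dmarc.org caveat quoted above is that OAR only works if the receiver has some way to know a given Original-Authentication-Results header really came from the list operator and not from whoever composed the message. The snippet below is an added illustration of what such a trust check minimally looks like on the receiving side; it is not code from this thread, from dmarc.org, or from any mail server. It assumes a hypothetical receiver that has already run its own DKIM verification (the verified signing domains are passed in as a set, because verifying a signature offline is out of scope) and that the forwarder's DKIM signature covers the OAR header. The sample messages and domain names are constructed.

```python
"""Receiver-side policy for Original-Authentication-Results (OAR) headers.

Added example (not from the NANOG thread or dmarc.org).  The receiver honors an
OAR header only when (1) the authserv-id names a forwarder it trusts and
(2) the receiver itself verified a DKIM signature from that same forwarder,
so the header is bound to someone accountable.  Otherwise the header is
ignored, because any sender could simply add one.
"""
from email import message_from_string

# Constructed sample: a message relayed by a trusted list.  The DKIM-Signature
# value is a placeholder; the receiver's DKIM verdict is supplied separately.
LIST_MESSAGE = """\
DKIM-Signature: v=1; d=lists.example.net; s=sel; h=from:to:subject:original-authentication-results; b=PLACEHOLDER
Original-Authentication-Results: lists.example.net; dkim=pass header.d=author.example
From: Author <author@author.example>
To: list@lists.example.net
Subject: list traffic

body
"""

# Constructed sample: a direct sender who pasted in an OAR header claiming the
# list vouched for them.  No signature from lists.example.net exists.
FORGED_MESSAGE = """\
Original-Authentication-Results: lists.example.net; dkim=pass header.d=author.example
From: Author <author@author.example>
To: victim@receiver.example
Subject: not really from the list

body
"""


def parse_authres(value: str) -> tuple[str, dict[str, str]]:
    """Parse 'authserv-id; method=result prop=val ...; method2=result ...'.

    Returns (authserv_id, {method: result}).  Property values such as
    header.d are dropped; only the verdict matters for this policy.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    authserv_id = parts[0].split()[0].lower()
    results: dict[str, str] = {}
    for clause in parts[1:]:
        token = clause.split()[0]
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return authserv_id, results


def trusted_oar_results(raw_message: str,
                        verified_dkim_domains: set[str],
                        trusted_forwarders: set[str]) -> list[dict[str, str]]:
    """Return the OAR verdict dicts the receiver is willing to rely on.

    verified_dkim_domains: signing domains whose DKIM signature this receiver
    verified as pass on this message (assumed to cover the OAR header).
    trusted_forwarders: forwarder domains the receiver has chosen to trust.
    """
    msg = message_from_string(raw_message)
    accepted: list[dict[str, str]] = []
    for value in msg.get_all("Original-Authentication-Results", []):
        authserv_id, results = parse_authres(str(value))
        if authserv_id not in trusted_forwarders:
            continue  # unknown forwarder: no reason to believe this header
        if authserv_id not in verified_dkim_domains:
            continue  # not bound to the forwarder's signature: could be forged
        accepted.append(results)
    return accepted


def original_dkim_passed(raw_message: str,
                         verified_dkim_domains: set[str],
                         trusted_forwarders: set[str]) -> bool:
    """True only if a trusted, signature-bound OAR header reports dkim=pass."""
    return any(r.get("dkim") == "pass" for r in
               trusted_oar_results(raw_message, verified_dkim_domains, trusted_forwarders))


if __name__ == "__main__":
    trusted = {"lists.example.net"}
    print("list message, list DKIM verified:",
          original_dkim_passed(LIST_MESSAGE, {"lists.example.net"}, trusted))
    print("forged header, no list DKIM:",
          original_dkim_passed(FORGED_MESSAGE, set(), trusted))
```

The point of the two negative branches is the one the FAQ makes: the header text alone carries no authority, so a receiver that honors OAR without binding it to a verified signature from a known forwarder is simply letting the sender grade their own homework. Even with the binding, the forwarder's signature must actually cover the OAR header, which is why that is stated as an assumption rather than checked here.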